Remote working is often cited as one of the top reasons for the rise in cyber-crime in 2020, but it’s far from the only growing challenge for today’s CISOs. Let’s set aside zoom-bombing, phishing scams, and the weak link of at-home devices, and take a look at 5 unique recent security breaches and what we can learn about boosting the efficacy of vulnerability testing as a result.
Middleware Could Be Used for Recon, or as a Stepping Stone
Estee Lauder had 440 million records exposed in February of 2020, many of which were related to middleware that the company uses internally, such as messaging software, application services, and API management. Middleware could be the end-target of an attack, but it can also be used as a route to inject malware elsewhere in the network by uncovering information on operating systems or communication paths.
When security testing is limited, it often focuses on the weaknesses of crown jewel applications alone, and so blind spots and gaps in the network can be easily missed. It’s important to recognize that even what at first glance seems like ‘unimportant’ information can be used as a stepping stone for lateral movement or network reconnaissance.
Are On-premises Security Tools a Target?
FireEye disclosed in December that they had become the victims of a nation-state attack. They described the breach as different from any of the tens of thousands of attacks they have responded to over the past 25 years, showing that new attack methods, or combinations of attack methods, are appearing all the time. FireEye’s red teaming and penetration testing tools were targeted and stolen in the attack, the same ones that the company uses to test their customers’ networks. These tools have yet to be leaked or used elsewhere, but could be turned against future targets, or simply exposed as a means to discredit FireEye directly.
A Call to Action to Shore up Credentials
An attack on Wishbone earlier this year (the second large-scale data breach the company has suffered since 2017) has put credentials under the spotlight. 40 million records were leaked in the attack, including mobile numbers, dates of birth, Facebook and Twitter account details, and passwords, too. These passwords were not plaintext, but MD5-hashed, an algorithm that has been considered “cryptographically broken” since 2010, and a reminder that organizations need to make sure they are on top of updating their security protocols. When considering a platform like Wishbone that holds so many private records that pertain to minors, revisiting security processes to make sure that policies aren’t outdated is more essential than ever.
Companies relying on vulnerability scanning platforms, take note. It’s important to focus on how attackers can access data, but also on up-to-date and prioritized mitigation to protect credentials if they become exposed. In this case, tokenizing or securely encrypting the data could have protected the users and stopped the data from being leaked and reused on the Dark Web.
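The following is an added example, not code from the original post or from Pcysys, showing concretely why an unsalted, fast hash such as MD5 offers little protection once a credential database leaks, and what a hardened store looks like. The user passwords and the small lookup word list are constructed for illustration; the scrypt cost parameters are assumptions to be tuned to your own hardware and latency budget.

```python
"""Unsalted MD5 versus salted, memory-hard scrypt for password storage.

Added illustrative example (not the original post's code). The passwords
and the word list below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Callable, List, Optional

# --- The weak scheme the post describes: unsalted, fast MD5 -----------------
def md5_hash(password: str) -> str:
    """Store only the MD5 digest. Identical passwords give identical digests,
    so a single precomputed lookup table reverses every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reverse_unsalted(digest: str, candidates: List[str]) -> Optional[str]:
    """Show the exposure: one digest of each candidate word is enough to
    recover any user whose password is in the list, with no per-user work."""
    table = {md5_hash(word): word for word in candidates}  # built once
    return table.get(digest)


# --- The hardened scheme: per-user random salt + memory-hard scrypt ---------
# Cost parameters are assumptions for this example; raise them as hardware
# allows (N=2**14, r=8 needs about 16 MiB per hash, within hashlib's default).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, parameters, salt and digest.
    The random salt means two users with the same password store different
    values, defeating shared lookup tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_collides(scheme: Callable[[str], str]) -> bool:
    """True if two users sharing a password end up with the same stored value."""
    return scheme("hunter2") == scheme("hunter2")


if __name__ == "__main__":
    # Constructed word list standing in for a common-password list.
    words = ["password", "123456", "hunter2", "qwerty"]
    leaked = md5_hash("hunter2")
    print("MD5 record:", leaked, "-> recovered:", reverse_unsalted(leaked, words))
    print("MD5 collides across users:", same_password_collides(md5_hash))
    record = scrypt_hash("hunter2")
    print("scrypt record:", record)
    print("scrypt collides across users:", same_password_collides(scrypt_hash))
    print("verify correct:", scrypt_verify("hunter2", record),
          "verify wrong:", scrypt_verify("hunter3", record))
```

The stored record carries its own parameters so the cost factors can be raised later without invalidating existing users: verify with the old parameters, then re-hash on successful login. The constant-time comparison avoids leaking how many leading bytes of a guess matched.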
The Shared Responsibility Model Gets Tested
Only 10% of consumers feel they have control over their personal data. Data leaks, such as the recent example of fitness company VShred, go some way to explaining why. The company was found to have exposed an AWS bucket containing the PII of tens of thousands of users, including sensitive ‘before and after’ photos, social security numbers, usernames, passwords, and more.
Dangerously, the response from the company suggested that they were unaware that users could anonymously browse and access this information, and that they had intentionally kept the bucket public so that users could download content such as meal plans.
Even small companies need to be able to show that they are protecting their customers’ data and are meeting compliance laws such as GDPR, which demand thorough risk assessments of cloud storage as well as tight policy around retention and access.
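The exposure described above comes down to a bucket policy that lets anyone read objects. As an added example, not code from the original post or from Pcysys, here is a small offline check that inspects an S3 bucket policy document and the bucket's Public Access Block settings and reports which statements grant access to an anonymous principal. The two policy documents are constructed samples: one with the weak "public read" setting and one restricted to a single IAM role (the account ID and role name are placeholders).

```python
"""Flag S3 bucket-policy statements that grant access to everyone.

Added illustrative example (not the original post's code). Both policy
documents below are constructed; account IDs and role names are placeholders.
"""
import json
from typing import Dict, List

# Weak configuration: anyone on the internet may read every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadMealPlans",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-fitness-bucket/*",
    }],
})

# Corrected configuration: only the application role may read objects.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-fitness-bucket/*",
    }],
})


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """A principal of "*" or {"AWS": "*"} (possibly inside a list) is anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json: str) -> List[str]:
    """Return the Sids of Allow statements open to an anonymous principal.

    Conditions are deliberately not evaluated: a conditioned public grant is
    still treated as exposed, so the check errs on the side of reporting.
    """
    policy = json.loads(policy_json)
    found = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if is_public_principal(stmt.get("Principal")):
            found.append(stmt.get("Sid", f"statement-{idx}"))
    return found


def bucket_is_exposed(policy_json: str, public_access_block: Dict[str, bool]) -> bool:
    """Combine the policy with the account/bucket Public Access Block.

    With BlockPublicPolicy and RestrictPublicBuckets both enabled, a public
    policy is rejected or neutralized by S3, so the bucket is not exposed
    through the policy even if the document itself is permissive.
    """
    if public_access_block.get("BlockPublicPolicy") and \
            public_access_block.get("RestrictPublicBuckets"):
        return False
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    no_block = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    full_block = {k: True for k in no_block}
    print("weak policy, public statements:", public_statements(PUBLIC_POLICY))
    print("weak policy, no block -> exposed:", bucket_is_exposed(PUBLIC_POLICY, no_block))
    print("weak policy, full block -> exposed:", bucket_is_exposed(PUBLIC_POLICY, full_block))
    print("restricted policy -> exposed:", bucket_is_exposed(RESTRICTED_POLICY, no_block))
```

If the intent really is to publish some content (the meal plans in the example), the fix is to put that content in a separate bucket or prefix with its own policy, rather than leaving a bucket that also holds PII readable to the world; the check above then passes on the PII bucket and flags only the one meant to be public.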
Ransomware takes its Toll
2020 was a tough year for Australian-based Toll Group, which was the victim of two ransomware attacks in just three months. The first attack encrypted business-critical files using MailTo ransomware, also known as Netwalker. The second used Nefilim, a new variant of Nemty that is thought to be distributed via exposed RDP and uses AES-128 encryption to lock files.
Almost 9 months later, Toll is still feeling the impact of the attacks, including attempting to limit the damage caused by the 220 GB of data that was stolen, some of which was exposed on the Dark Web. The company has therefore started a 12-month cyber resilience program to shore up its defenses.
As over 1,000 companies call ransomware a risk factor for their organizations, 2021 could well be the year that security teams get proactive about network-based risks and vulnerabilities.
Taking Vulnerability Management to the Next Level in 2021
These 5 attacks are an important reminder to all security teams that the level of today’s cyber threat has advanced. As a result, our security validation and threat emulation practices must keep up. This has opened a gap in security validation: periodic or manual pen testing cannot assess the risk from these threats, in either the sophistication or the breadth of attacks. Enterprises have to look at tools that can emulate the latest attacks in a safe way to know if they are prepared. This is a new practice of continuous security validation that needs to be adopted.
The technologies chosen must support the secure management of a hybrid environment and provide intelligent data to support and prioritize mitigation, reducing your risk and preparing you for the day the worst-case scenario comes knocking on your door.
Interested in seeing how Pcysys checks all the boxes? Schedule a demo.